CVE-2026-27828
Published: 26 March 2026
Summary
CVE-2026-27828 is a high-severity Use After Free (CWE-416) vulnerability in Linuxfoundation Everest. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the use-after-free flaw via the available patch in version 2026.02.0.
Implements memory protections to prevent unauthorized access or execution from freed memory locations like v2g_ctx exploited in this CVE.
Mandates error handling that avoids using freed resources during initialization failures, such as absence of IPv6 link-local address, before processing session_setup.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in EVSE process (ISO15118 handler) is directly triggered over the network to crash the service, mapping to application/system exploitation for endpoint DoS.
NVD Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup uses v2g_ctx after it has been freed when ISO15118 initialization fails (e.g., no IPv6 link-local address). The EVSE process can be crashed remotely by an attacker with MQTT…
more
access who issues a session_setup command while v2g_ctx has been released. Version 2026.02.0 contains a patch.
Deeper analysisAI
CVE-2026-27828 is a use-after-free vulnerability (CWE-416) in the EVerest EV charging software stack, affecting versions prior to 2026.02.0. The flaw resides in the ISO15118_chargerImpl::handle_session_setup function, which attempts to use the v2g_ctx object after it has been freed, such as during ISO15118 initialization failures (e.g., absence of an IPv6 link-local address). This impacts the EVSE process within the stack.
An attacker with MQTT access can remotely exploit the vulnerability by issuing a session_setup command while v2g_ctx has been released, causing a crash of the EVSE process and resulting in a denial of service. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, low attack complexity, no required privileges or user interaction, and high availability impact with no confidentiality or integrity effects.
The GitHub security advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-5g3v-qc79-qqwr documents the issue, noting that version 2026.02.0 contains a patch to resolve the use-after-free condition.
Details
- CWE(s)